As described previously, SELinux uses type enforcement to describe the state of
your system. This is done by giving each resource on your system (be it a
process, a network port, a file or directory) a specific type and by describing
the rules for how these types may interact with each other.

For instance, the following allow rule lets all regular users (which run in the
user_t domain) execute files that carry the bin_t label:

allow user_t bin_t:file { read execute open };

Other supported rule types are:

dontaudit will disable the logging of the denial message(s)

auditallow will allow the access but will also log it (by default,
allowances are not logged)

neverallow asserts that a certain allow rule may never be granted. Even
though SELinux is a positive security model (whitelisting), neverallow rules
are sometimes needed, but generally you will not see them often.

As you can imagine, defining the rules for an entire system is very
resource-intensive if you want to do it right. It not only requires deep
insight into how the system works, but also a lot of rule writing and testing.
Even more time consuming is that the same rules would be written over and over
again for different domains. To help developers with policy writing, a
reference policy has been brought to life with the following required
functionalities:

development of SELinux policy rules should be centralized even for different
distributions

a macro language should be supported that makes it easier to write new
policies

the policies should be modular, allowing for additional rules to be added or
removed

By centralizing the SELinux policy rule development, SELinux users will have the
same domain naming conventions as on other distributions. This makes debugging a
lot easier, documenting a lot less distribution-specific and makes it a bit
easier for end users to get acquainted with SELinux.

Tresys Reference Policy

The reference policy of choice is the Tresys SELinux Reference
Policy. This reference policy, currently at major version 2, is used by
almost all SELinux-supporting distributions, including Gentoo Hardened, Fedora,
Red Hat Enterprise Linux, Debian, Ubuntu and more. This implementation not only
offers the modular policies that users are looking for, but also enhances the
SELinux experience with additional development tools that make it easier to
work with the SELinux policies on your system.

The reference policy starts off with a base policy called
base.pp. This is a collection of policies needed to get a system up
and running and also offers the necessary functions towards the policy modules.
In Gentoo Hardened, this base policy is offered by selinux-base-policy.

The policy modules themselves also use the .pp extension, but are
named according to their content. For instance, the policy module
that contains all policy rules for the screen application is called
screen.pp. However, don't count on all policy modules being named
after the tool: the policy module that contains the wpa_supplicant
specific rules is called networkmanager.pp. In Gentoo Hardened, the
modular policies are available in the sec-policy category and are
named selinux-<module>.

To get a list of loaded modules, run semodule:

~# semodule -l
dbus 1.14.0
dnsmasq 1.9.0
hal 1.13.0
[...]

Toggle Policy States

As policies are built from a "deny all" perspective, you can imagine that
there are thousands of rules already available in the reference policy.
Sometimes the developers know that particular rules will be active on one system
and inactive on another. Although this could be accomplished by developing two
different modules, SELinux development has opted to support SELinux
booleans instead.

SELinux booleans allow rules to be applied conditionally, based on the
administrator's requirements. You can get a list of supported booleans through
getsebool.

If you need to change a boolean, you can use togglesebool to switch its
value, or setsebool to explicitly set its state:

~# getsebool user_dmesg
user_dmesg --> off
~# togglesebool user_dmesg
user_dmesg: active
(Now, the state is set to 'on')
~# getsebool user_dmesg
user_dmesg --> on
(Explicitly set the value to 'off')
~# setsebool user_dmesg off

Policy Files and Locations

On Gentoo Hardened, the SELinux policy files are stored in
/usr/share/selinux/strict or
/usr/share/selinux/targeted (depending on your SELinux
configuration). Within this location, you will find:

a file called base.pp, which is the SELinux base policy,

one or more files with extension .pp, which are the SELinux
policy modules, and

an include/ folder which contains the necessary files for
SELinux module developers to build additional modules for this system
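
The following script is an added example, not code from the handbook or the reference policy: it writes a small reference-policy module that uses each rule type named above together with a boolean, and then builds and loads it with the Makefile from the include/ directory just described. The module name localapp, the type localapp_log_t and the boolean localapp_user_readlog are made up for this illustration.

```shell
#!/bin/sh
# Added example, not from the handbook: a minimal reference policy module,
# "localapp", using every rule type named above plus a boolean. The module
# name, localapp_log_t and localapp_user_readlog are constructed for this
# illustration; the build needs the include/ directory described above.

# Write the policy source (.te) for the module into $1/localapp.te.
write_te_module() {
    cat > "$1/localapp.te" <<'EOF'
policy_module(localapp, 1.0.0)

# A type declared by this module; files_type() is a reference policy interface.
type localapp_log_t;
files_type(localapp_log_t)

# Types borrowed from the base policy (a real module would use interfaces).
gen_require(`
    type user_t, bin_t;
')

# Boolean, off by default; switched later with setsebool/togglesebool.
gen_tunable(localapp_user_readlog, false)

# Plain allow rule, as in the handbook example.
allow user_t bin_t:file { read execute open };

# Rules inside tunable_policy apply only while the boolean is on.
tunable_policy(`localapp_user_readlog',`
    allow user_t localapp_log_t:file { read getattr open };
')

# Silence an expected denial instead of filling the audit log with it.
dontaudit user_t localapp_log_t:file write;

# auditallow adds logging of a granted access; the grant itself is the allow.
allow user_t localapp_log_t:file unlink;
auditallow user_t localapp_log_t:file unlink;
EOF
}

# Compile $1/localapp.te into localapp.pp with the reference policy Makefile
# for store $2 (strict or targeted), load it, and persistently enable the
# boolean. Returns 2 when the development headers are not installed here.
build_and_load() {
    mk="/usr/share/selinux/$2/include/Makefile"
    [ -f "$mk" ] || { echo "no reference policy headers at $mk" >&2; return 2; }
    make -C "$1" -f "$mk" localapp.pp && semodule -i "$1/localapp.pp" \
        && setsebool -P localapp_user_readlog on
}
```

Run it as root on a Gentoo Hardened host with selinux-base-policy installed (for example `d=$(mktemp -d); write_te_module "$d"; build_and_load "$d" strict`); afterwards `semodule -l` lists localapp and `getsebool localapp_user_readlog` reports it as on.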

Policy Versions

The SELinux policy infrastructure that is used (i.e. the capabilities and
functionalities that it offers) is not at its first version. If you run
sestatus now, you will notice that policy version 24 is in use. Every
time functionalities or capabilities are added which require changes to the
internal structure of the compiled policy, this version is incremented. The
following is an overview of the policy versions' history.